BGP 4-byte ASN Vulnerable to DoS on Cisco IOS, IOS XE – Fix Released

Support for 4-byte ASNs (autonomous system numbers) has recently been added to most BGP implementations. The original 2-byte (16-bit) ASN space is close to exhaustion, so the registries have begun handing out 4-byte ASNs to service providers. Existing 2-byte ASNs remain valid; RFC 4893 defines how the two coexist, including the reserved ASN 23456 (AS_TRANS) that a 4-byte-capable router substitutes when it talks to a peer that only understands 2-byte numbers.

The newly found vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (hereafter both referred to simply as Cisco IOS) that support RFC 4893 and have been configured for BGP routing.

The feature carries a critical flaw in every recent IOS release that supports it. Cisco issued a security advisory for its IOS software last week and updated it today.

Cisco IOS releases that implement RFC 4893 (the four-octet AS number space in BGP) are susceptible to denial-of-service attacks when handling BGP UPDATE messages. According to the advisory there are two DoS vulnerabilities:

1. The first vulnerability could cause an affected device to reload when it processes a BGP update whose autonomous system (AS) path segments are made up of more than one thousand autonomous systems.

2. The second vulnerability could cause an affected device to reload when it processes a malformed BGP update that has been crafted to trigger the issue.

Workaround – Configuring “bgp maxas-limit [value]” under the BGP router configuration on the affected device mitigates the first vulnerability: the router discards any update whose AS path carries more AS numbers than the configured value, so an update with the thousand-plus ASes needed to trigger the reload is dropped before it is processed. Cisco recommends a conservative value of 100. Note that the limit also discards legitimate routes with longer paths, so choose a value that comfortably exceeds the longest AS path seen in your routing tables.
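To make the two failure modes concrete, here is an added example (not Cisco's code and not part of the advisory) that encodes and decodes the 4-byte AS_PATH wire format of RFC 4893 and models an inbound check in the spirit of “bgp maxas-limit”. It builds a constructed 1001-hop path of 4-byte ASNs, shows it rejected under a limit of 100, and shows that a truncated attribute is rejected as bad data rather than allowed to escape as an exception (the software-model equivalent of a reload). The counting rule (every ASN in every segment counts toward the limit) and the function names are assumptions of this example, not Cisco's implementation.

```python
import struct

AS_SET = 1
AS_SEQUENCE = 2
AS_TRANS = 23456  # RFC 4893 placeholder ASN used toward 2-byte-only peers


class MalformedASPath(ValueError):
    """Raised when an AS_PATH / AS4_PATH attribute does not decode cleanly."""


def encode_as_path(segments, four_byte=True):
    """Encode [(segment_type, [asn, ...]), ...] into AS_PATH wire format.

    four_byte=True uses the 4-octet ASN encoding of RFC 4893; with
    four_byte=False any ASN above 65535 is replaced by AS_TRANS.
    """
    fmt = "!I" if four_byte else "!H"
    out = bytearray()
    for seg_type, asns in segments:
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        if not 1 <= len(asns) <= 255:
            raise ValueError("a segment holds 1..255 ASNs")
        out += struct.pack("!BB", seg_type, len(asns))
        for asn in asns:
            if not four_byte and asn > 0xFFFF:
                asn = AS_TRANS  # not representable in 2 bytes
            out += struct.pack(fmt, asn)
    return bytes(out)


def parse_as_path(data, four_byte=True):
    """Decode AS_PATH wire bytes into [(segment_type, [asn, ...]), ...].

    Every length is checked before it is used, so a truncated or
    inconsistent attribute raises MalformedASPath instead of reading
    past the end of the buffer.
    """
    width = 4 if four_byte else 2
    fmt = "!I" if four_byte else "!H"
    segments, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedASPath("truncated segment header at offset %d" % pos)
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedASPath("unknown segment type %d" % seg_type)
        if count == 0:
            raise MalformedASPath("zero-length segment")
        need = count * width
        if len(data) - pos < need:
            raise MalformedASPath("segment claims %d ASNs but only %d bytes remain"
                                  % (count, len(data) - pos))
        asns = [struct.unpack_from(fmt, data, pos + k * width)[0] for k in range(count)]
        pos += need
        segments.append((seg_type, asns))
    return segments


def count_asns(segments):
    """Total AS numbers in the path (assumption: every ASN in every segment counts)."""
    return sum(len(asns) for _, asns in segments)


def check_update_as_path(data, maxas_limit=100, four_byte=True):
    """Model of an inbound AS-path sanity check; returns (accepted, reason).

    A malformed attribute is rejected as data, and a path longer than
    maxas_limit is dropped before anything else looks at it.
    """
    try:
        segments = parse_as_path(data, four_byte)
    except MalformedASPath as exc:
        return False, "malformed AS_PATH: %s" % exc
    n = count_asns(segments)
    if n > maxas_limit:
        return False, "AS path has %d ASNs, exceeds maxas-limit %d" % (n, maxas_limit)
    return True, "ok (%d ASNs)" % n


def build_long_path(n_asns, base=196608):
    """Constructed sample input: an AS_SEQUENCE path of n_asns distinct 4-byte
    ASNs starting at 196608 (the first ASN outside the 16-bit range), split
    into segments of at most 255 entries as the wire format requires."""
    asns = [base + i for i in range(n_asns)]
    return encode_as_path([(AS_SEQUENCE, asns[i:i + 255]) for i in range(0, n_asns, 255)])


if __name__ == "__main__":
    long_path = build_long_path(1001)
    print(check_update_as_path(long_path))              # dropped: 1001 > 100
    print(check_update_as_path(long_path, maxas_limit=2000))  # accepted without a limit
    print(check_update_as_path(long_path[:-3]))         # truncated: rejected as malformed
    print(check_update_as_path(build_long_path(5)))     # ordinary path accepted
```

The two-byte round trip (four_byte=False) shows why AS_TRANS exists: a 4-byte ASN sent to a 2-byte-only peer comes back as 23456, which is exactly the kind of mixed encoding the RFC 4893 code paths in a router have to handle.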

Cisco says it has released free software updates to address both vulnerabilities. There is no workaround for the second (malformed update) vulnerability; a software upgrade is required to fix it.